The malware affects Android smartphones, and it is called
Android.Bankosy. It specifically targets two-factor
authentication codes delivered by automated phone call. Normally,
after entering a password, the user will receive an automatic
call from the company, which will reveal the OTP code.

But Android.Bankosy redirects the user's phone calls to the phone
of the attacker, letting the hacker steal the OTP code and access
the account. Two-factor is often used to protect bank accounts —
meaning bypassing it can be highly lucrative for hackers.

Some two-factor systems use text messages rather than phone calls
to deliver codes, and Symantec says it has seen malware capable
of stealing these too.

Of course, for this exploit to work, the attacker has to be able
to get the malware onto the smartphone in the first place. A
hacker might do this by exploiting another security hole or by
hiding in an app installed from outside the Google Play Store.

Similarly, the hacker also needs the user's original password.
This might be stolen via a "man-in-the-middle" attack when the
user is browsing on an insecure network, or via keylogging
malware.